hi sc-l, BSIMM3 was just posted. You can download it from http://bsimm.com
Since the first BSIMM interview in October 2008, we’ve progressed from 9 to 30 to 42 firms (and more, at this point). We’ve also measured 11 firms twice—with about 19 months between measurements on average—providing the software security community with unique insight on how software security initiatives change over time. Assessing 42 individual firms and performing 11 re-assessments required 81 sets of in-depth interviews in just a shade less than three years.

Some highlights for the third major release of the BSIMM:

* BSIMM3 now includes 42 firms
* BSIMM3 describes 109 activities in 12 practices with 2 or more real examples for each activity (all completely revised since BSIMM2)
* 11 firms have been measured twice (giving us Longitudinal Study data) and the data show measurable improvement
* The BSIMM3 data set has 81 distinct measurements (some firms measured twice, some firms have multiple divisions measured separately)
* BSIMM3 describes the work of 786 SSG members working with a satellite of 1750 people to secure the software developed by 185,316 developers
* BSIMM3 is available for free on the BSIMM website http://bsimm.com

The BSIMM remains the only measuring stick for software security initiatives based on science. It is extremely useful for comparing the initiative of any given firm to a large group of similar firms. The BSIMM has been used by multiple firms to strategize and plan their software security initiatives and measure the results.

We're proud of this work and the data we have gathered. Please let us know what you think.

gem, brian, and sammy

P.S. Here are the companies and software security executives participating in this work. Thanks to each and every one of you!
Adobe (Brad Arkin), Aon (Trey Keifer), Bank of America (Jim Apple), Capital One (Bryan Orme), DTCC, EMC (Eric Baize), Fannie Mae (Ted Jestin), Google (Eric Grosse), Intel (Jeff Cohen), Intuit (Shaun Gordon), McKesson (Mike Wilson), Microsoft (Steve Lipner), Nokia (Antti Vähä-Sipilä and Janne Uusilehto), QUALCOMM (Alex Gantman), Sallie Mae (Jerry Archer), SAP (Gunter Bitz), Scripps Networks Interactive (Greg Allender), Sony Ericsson (Per-Olof Persson), Standard Life (Mungo Carstairs and Alan Stevens), SWIFT (Peter De Gersem and Alain Desausoi), Symantec (Cassio Goldschmidt), Telecom Italia (Marco Bavazzano), Thomson Reuters (Tom Lawton and Andrew Rowson), Visa (Gary Warzala), VMware (Kris Inglis), Wells Fargo (Eric Kurnie), and Zynga (Chris Peterson). Some companies have chosen to participate anonymously.

Secure Coding mailing list (SC-L) SC-L@securecoding.org